Win32: Alureon - CE [Rtk]

Hello everyone. I’m new here. :slight_smile:

I need a little help. I tried to run a virus scan with my Avast a few days ago and when it was doing its memory test it found a Win32: Alureon-CE [Rtk] and in the type it said Rootkit. I’m not necessarily educated on this kind of thing, so I googled it and in the process of trying to find some help it would redirect me to other ad sites. So, I have to copy the links to get to the direct link.

Well, another bummer is when I tried to move the virus to the chest it told me something along the lines of “Maximum number of secrets have been exceeded” and now I have no clue what that means.

Then, I try to use my trusty Malwarebytes and it finds the virus and asks me to remove them, and I do. I go through the whole boot process and when I’m finally all started up, I still have the same problems.

Help? :frowning:

Can you say what the infected file name is and where it was found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (see About dialog of avast!)

Also, what happened with the boot time scanning? Didn’t avast detect it? Or can you just not send it to the Chest?

The file name is c:\windows\system32\geyekrqcqouigs.dll and I’m using Avast! version 4.8 Home Edition and VPS.

And it can’t send it to the chest at all.

Hi youfruitloop,

Here is a description of the virus and what it does:
http://www.threatexpert.com/report.aspx?md5=e898ae875629d51987198262f8413f00

This trojan is associated with the dangerous TDSServ RootKit.

Download and execute HiJack This! (HJT): http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log as an attached txt file to be analyzed,

polonus

Can you directly delete the file? It’s infected (by the name itself…).

Try with a rescue CD.
Read the instructions, download and burn (maybe from another computer), finally use one of these rescue CDs:

  1. Avira
  2. Kaspersky
  3. BitDefender
  4. F-Secure
  5. Dr. Web

Here’s the HiJack This log.

Hi, this may be the new variant, which can be a right nightmare to kill.

I would like you to download ComboFix as per the instructions below, but when you download it rename it to winlogon. This is important.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

When you get the situation resolved: you’re using Windows SP2, which has several security vulnerabilities. Windows SP3 has been available for over a year and has performance enhancements and several Critical Security Updates, so in IE go to Tools, then Windows Update, then download and install all updates.

Go to Control Center then Security Center then set it to Automatic Updates (Recommended) or at least Notify me about updates but do not download nor install them.

IE8 is now available and it has more security than IE6:
http://www.microsoft.com/windows/Internet-explorer/default.aspx

Run Secunia Online Software Inspector to see what other applications have vulnerabilities:
http://secunia.com/vulnerability_scanning/online

Hi youfruitloop,

Manual cleansing instructions to check after fully following up essexboy’s instructions,
see attached txt file.

How Did My PC Get Infected with TDSServ?
The following are the most likely reasons why your computer got infected with TDSServ:
Your operating system and Web browser’s security settings are too lax.
You are not following safe Internet surfing and PC practices.
Downloading and Installing Freeware or Shareware
Small-charge or free software applications may come bundled with spyware, adware, or programs like TDSServ. Sometimes adware is attached to free software to enable the developers to cover the overhead involved in creating the software. Spyware frequently piggybacks on free software into your computer to damage it and steal valuable private information.
Using Peer-to-Peer Software
The use of peer-to-peer (P2P) programs or other applications using a shared network exposes your system to the risk of unwittingly downloading infected files, including malicious programs like TDSServ.
Visiting Questionable Web Sites
When you visit sites with dubious or objectionable content, trojans (including TDSServ), spyware, and adware may well be automatically downloaded and installed onto your computer.
If some files cannot be deleted, this should be done at bootup through the use of, for instance, Avenger.
You will be guided through this process in the malware cleansing routine…

polonus

Yet another difficulty.

When I try to open ComboFix I get this error “Incompatible OS. ComboFix only works for workstatons with Windows 2000 and XP.”

But, I have XP…

:confused:

Hi youfruitloop,

The rootkit can disable ComboFix as ComboFix. Did you rename ComboFix to winlogon as you downloaded it? This is mighty important, else the virus will NOT let you run ComboFix, so the renaming is to circumvent the disabling of ComboFix. Capito?

polonus

I was afraid of that. I will need you to run two programmes now. The first should give me the name of the main driver and the second the associated file.

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

[*] Click on the Log tab.
[*] In the Write to log box select all items.
[*] Click on the Create Log button on the bottom right.
[*] After a few seconds a new Window should appear.
[*] Make sure Scan all drives is selected and click on the Start button.
[*] When it is complete a new Window will appear to indicate that the scan is finished.
[*] The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

THEN

Download avz4.zip from here

[*]Unzip it to your desktop to a folder named avz4
[*]Double click on AVZ.exe to run it.
[*]Run an update by clicking the Auto Update button on the Right of the Log window:
http://rathat.geekstogo.com/images/AVZupdate.jpg

[*]Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again.

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Healing/Quarantine and Advanced System Analysis” check box.
[*] Click on the “Execute selected scripts”.
[*] Automatic scanning, healing and system check will be executed.
[*] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[*] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[*] All applications will work properly after the system restart.

When restarted

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis” check box.
[*] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Upload both files to MediaFire for me to download.

Virusinfo_syscheck.zip: http://www.mediafire.com/?m2d09dc0xm1
Virusinfo_syscure.zip: http://www.mediafire.com/?oltzxtnmrjm
Sysprot Log txt document: http://www.mediafire.com/?m0ndyumng59

I hope I uploaded the right files. :slight_smile:

Good start, both programmes functioned well.

AVZ FIX

[*] Double click on AVZ.exe
[*] Click File > Custom scripts
[*] Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end)

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 SetServiceStart('geyekrkcdjbpfa', 4);
 StopService('geyekrkcdjbpfa');
 DeleteService('geyekrkcdjbpfa');
 BC_DeleteFile('C:\WINDOWS\system32\drivers\xydgc.sys');
 DeleteFile('C:\WINDOWS\system32\drivers\xydgc.sys');
 BC_DeleteFile('C:\WINDOWS\Temp\geyekrevspquepmq.tmp');
 DeleteFile('C:\WINDOWS\Temp\geyekrevspquepmq.tmp');
 BC_DeleteFile('C:\WINDOWS\Temp\geyekrdieexornsd.tmp');
 DeleteFile('C:\WINDOWS\Temp\geyekrdieexornsd.tmp');
 BC_DeleteFile('C:\WINDOWS\system32\geyekrwhvnivpq.dat');
 DeleteFile('C:\WINDOWS\system32\geyekrwhvnivpq.dat');
 BC_DeleteFile('C:\WINDOWS\system32\geyekrqcqouigs.dll');
 DeleteFile('C:\WINDOWS\system32\geyekrqcqouigs.dll');
 BC_DeleteFile('C:\WINDOWS\system32\geyekrlaixwbrf.dll');
 DeleteFile('C:\WINDOWS\system32\geyekrlaixwbrf.dll');
 BC_DeleteFile('C:\WINDOWS\system32\geyekriororskq.dat');
 DeleteFile('C:\WINDOWS\system32\geyekriororskq.dat');
 BC_DeleteFile('\\?\globalroot\systemroot\system32\geyekrqcqouigs.dll');
 DeleteFile('\\?\globalroot\systemroot\system32\geyekrqcqouigs.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[*] Note: When you run the script, your PC will be restarted
[*] Click Run
[*] Restart your PC if it doesn't do it automatically.

ON COMPLETION

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis” check box.
[*] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

virusinfo_syscheck.zip: http://www.mediafire.com/?fgp13500c1a

Hi

I’m having the same problem as the OP but my file is different. It is c:\windows\system32\geyekrjlnmxtbv.dll

I have downloaded and run the scans as instructed by essexboy and have uploaded the files here:

avz4 and sysprot files

Any help would be appreciated :slight_smile:

OK, AVZ failed, so let’s try a different route, youfruitloop. Thunderskins, please start a new thread, as this could get confusing otherwise.

  1. Please download The Avenger2 by Swandog46 to your Desktop.
    [*]Right click on the Avenger.zip folder and select “Extract All…”
    [*] Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:

Drivers to delete:
geyekrkcdjbpfa

Files to delete:
C:\WINDOWS\system32\drivers\xydgc.sys
C:\WINDOWS\Temp\geyekrevspquepmq.tmp
C:\WINDOWS\Temp\geyekrdieexornsd.tmp
C:\WINDOWS\system32\geyekrwhvnivpq.dat
C:\WINDOWS\system32\geyekrqcqouigs.dll
C:\WINDOWS\system32\geyekrlaixwbrf.dll
C:\WINDOWS\system32\geyekriororskq.dat
C:\WINDOWS\system32\geyekrqcqouigs.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Now, open the avenger folder and start The Avenger program by clicking on its icon.

[*] Right click on the window under Input script here:, and select Paste.
[*] You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.

  1. The Avenger will automatically do the following:
    [*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete” or “Drivers to Disable”, The Avenger will actually restart your system twice.)
    [*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  2. Please copy/paste the content of c:\avenger.txt into your reply.

Thunderskins I have started a new thread with your fix in it

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP


Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver “geyekrkcdjbpfa” deleted successfully.

Error: file “C:\WINDOWS\system32\drivers\xydgc.sys” not found!
Deletion of file “C:\WINDOWS\system32\drivers\xydgc.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist

Error: file “C:\WINDOWS\Temp\geyekrevspquepmq.tmp” not found!
Deletion of file “C:\WINDOWS\Temp\geyekrevspquepmq.tmp” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist

Error: file “C:\WINDOWS\Temp\geyekrdieexornsd.tmp” not found!
Deletion of file “C:\WINDOWS\Temp\geyekrdieexornsd.tmp” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist

Error: could not delete file “C:\WINDOWS\system32\geyekrwhvnivpq.dat”
Deletion of file “C:\WINDOWS\system32\geyekrwhvnivpq.dat” failed!
Status: 0xc0000156

Error: could not delete file “C:\WINDOWS\system32\geyekrqcqouigs.dll”
Deletion of file “C:\WINDOWS\system32\geyekrqcqouigs.dll” failed!
Status: 0xc0000156

Error: could not delete file “C:\WINDOWS\system32\geyekrlaixwbrf.dll”
Deletion of file “C:\WINDOWS\system32\geyekrlaixwbrf.dll” failed!
Status: 0xc0000156

Error: file “C:\WINDOWS\system32\geyekriororskq.dat” not found!
Deletion of file “C:\WINDOWS\system32\geyekriororskq.dat” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist

Error: could not delete file “C:\WINDOWS\system32\geyekrqcqouigs.dll”
Deletion of file “C:\WINDOWS\system32\geyekrqcqouigs.dll” failed!
Status: 0xc0000156

Completed script processing.


Finished! Terminate.
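The Avenger log above mixes three outcomes (deleted, not found, could not delete with an NTSTATUS code), and the distinction decided the helper's next step: files that were never there need nothing, files that survived a boot-time delete are still held by the rootkit. This added Python example (not part of the thread, nor of The Avenger) parses a constructed log in the same format, separates those cases, and generalises the shared random "geyekr" prefix seen in this thread into a common-prefix check across the file names.

```python
import os
import re

# Constructed sample in the shape of the Avenger 2.0 log posted in the thread.
SAMPLE_LOG = """\
Driver "geyekrkcdjbpfa" deleted successfully.

Error: file "C:\\WINDOWS\\Temp\\geyekrevspquepmq.tmp" not found!
Deletion of file "C:\\WINDOWS\\Temp\\geyekrevspquepmq.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error: could not delete file "C:\\WINDOWS\\system32\\geyekrqcqouigs.dll"
Deletion of file "C:\\WINDOWS\\system32\\geyekrqcqouigs.dll" failed!
Status: 0xc0000156

File "C:\\WINDOWS\\system32\\geyekriororskq.dat" deleted successfully.
"""

# Logs pasted into a forum often carry curly quotes; accept both kinds.
Q = r'["\u201c\u201d]'
RE_DELETED = re.compile(rf'^(Driver|File) {Q}(.+?){Q} deleted successfully\.', re.M)
RE_NOT_FOUND = re.compile(rf'^Error: file {Q}(.+?){Q} not found!', re.M)
RE_FAILED = re.compile(rf'^Error: could not delete file {Q}(.+?){Q}\s*\n'
                       rf'Deletion of file {Q}.+?{Q} failed!\s*\n'
                       r'Status: (0x[0-9a-fA-F]{8})', re.M)

def parse_avenger_log(text):
    """Split the log into deleted names, paths never found, and
    paths whose deletion failed, keyed to their NTSTATUS code."""
    return {
        "deleted": [m.group(2) for m in RE_DELETED.finditer(text)],
        "not_found": RE_NOT_FOUND.findall(text),
        "failed": {path: status.lower() for path, status in RE_FAILED.findall(text)},
    }

def still_present(report):
    """Files that survived the boot-time delete and need a follow-up tool
    (in the thread, a renamed ComboFix)."""
    return sorted(report["failed"])

def shared_prefix(paths, min_len=4):
    """Common leading characters of the basenames; TDSS-family components
    share a random prefix ('geyekr' here), a useful hunting signal."""
    names = [os.path.basename(p.replace("\\", "/")).lower() for p in paths]
    prefix = os.path.commonprefix(names) if names else ""
    return prefix if len(prefix) >= min_len else ""
```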

If you could now download and run a fresh copy of combofix - delete the current copy from your desktop

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif


Double click on Combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt along with an OTL log so we can continue cleaning the system.